$username = "";
if (isset($_POST["username"])) {
$username = cleanValue($_POST["username"]);
}
$password = "";
if (isset($_POST["password"])) {
$password = $_POST["password"];
}
global $gCms;
$userops =& $gCms->GetUserOperations();
$oneuser =& $userops->LoadUserByUsername($username, $password, true, true);
debug_buffer("Got user by username");
debug_buffer($oneuser);
if ($username != "" && $password != "" && isset($oneuser) && $oneuser == true && isset($_POST["loginsubmit"])) {
debug_buffer("Starting login procedure. Setting userid so that other pages will pick it up and set a cookie.");
generate_user_object($oneuser->id);
$_SESSION['login_user_id'] = $oneuser->id;
$_SESSION['login_user_username'] = $oneuser->username;
$default_cms_lang = get_preference($oneuser->id, 'default_cms_language');
if ($default_cms_lang != '') {
#setcookie('cms_language', $default_cms_lang);
$_SESSION['login_cms_language'] = $default_cms_lang;
}
audit($oneuser->id, $oneuser->username, 'User Login');
#Now call the event
Events::SendEvent('Core', 'LoginPost', array('user' => &$oneuser));
// redirect to upgrade if db_schema it's old
$current_version = $CMS_SCHEMA_VERSION;
$query = "SELECT version from " . cms_db_prefix() . "version";
$row = $db->GetRow($query);
if ($row) {
/**
* Checks to see if the user is logged in. If not, redirects the browser
* to the admin login.
*
* @since 0.1
* @param string no_redirect - If true, then don't redirect if not logged in
* @return boolean
*/
function check_login($no_redirect = false)
{
$config = cmsms()->GetConfig();
//Handle a current login if one is in queue in the SESSION
if (isset($_SESSION['login_user_id'])) {
debug_buffer("Found login_user_id. Going to generate the user object.");
generate_user_object($_SESSION['login_user_id']);
unset($_SESSION['login_user_id']);
}
if (isset($_SESSION['login_cms_language'])) {
debug_buffer('Setting language to: ' . $_SESSION['login_cms_language']);
cms_cookies::set('cms_language', $_SESSION['login_cms_language']);
unset($_SESSION['login_cms_language']);
}
if (!isset($_SESSION["cms_admin_user_id"])) {
debug_buffer('No session found. Now check for cookies');
if (isset($_COOKIE["cms_admin_user_id"]) && isset($_COOKIE["cms_passhash"])) {
debug_buffer('Cookies found, do a passhash check');
if (check_passhash($_COOKIE["cms_admin_user_id"], $_COOKIE["cms_passhash"])) {
debug_buffer('passhash check succeeded... creating session object');
generate_user_object($_COOKIE["cms_admin_user_id"]);
} else {
debug_buffer('passhash check failed... redirect to login');
$_SESSION["redirect_url"] = $_SERVER["REQUEST_URI"];
if (false == $no_redirect) {
redirect($config['admin_url'] . "/login.php");
}
return false;
}
} else {
debug_buffer('No cookies found. Redirect to login.');
$_SESSION["redirect_url"] = $_SERVER["REQUEST_URI"];
if (false == $no_redirect) {
redirect($config['admin_url'] . "/login.php");
}
return false;
}
}
debug_buffer('Session found. Moving on...');
global $CMS_ADMIN_PAGE;
if ($config['debug'] === false && isset($CMS_ADMIN_PAGE)) {
if (!isset($_SESSION[CMS_USER_KEY])) {
// it's not in the session, try to grab something from cookies
if (isset($_COOKIE[CMS_SECURE_PARAM_NAME])) {
$_SESSION[CMS_USER_KEY] = $_COOKIE[CMS_SECURE_PARAM_NAME];
}
}
// now we've got to check the request
// and make sure it matches the session key
if (!isset($_SESSION[CMS_USER_KEY]) || !isset($_GET[CMS_SECURE_PARAM_NAME]) || !isset($_POST[CMS_SECURE_PARAM_NAME])) {
$v = '<no$!tgonna!$happen>';
if (isset($_GET[CMS_SECURE_PARAM_NAME])) {
$v = $_GET[CMS_SECURE_PARAM_NAME];
} else {
if (isset($_POST[CMS_SECURE_PARAM_NAME])) {
$v = $_POST[CMS_SECURE_PARAM_NAME];
}
}
if ($v != $_SESSION[CMS_USER_KEY] && !isset($config['stupidly_ignore_xss_vulnerability'])) {
debug_buffer('Session key mismatch problem... redirect to login');
if (false == $no_redirect) {
redirect($config['admin_url'] . '/login.php');
}
return false;
}
}
}
return true;
}
